semantic-release 21.0.1 → 21.0.3-beta.1

package/README.md

@@ -41,6 +41,7 @@ This removes the immediate connection between human emotions and version numbers
 - Avoid potential errors associated with manual releases
 - Support any [package managers and languages](docs/recipes/release-workflow/README.md#package-managers-and-languages) via [plugins](docs/usage/plugins.md)
 - Simple and reusable configuration via [shareable configurations](docs/usage/shareable-configurations.md)
+- Support for [npm package provenance](https://github.com/semantic-release/npm#npm-provenance) that promotes increased supply-chain security via signed attestations on GitHub Actions
 
 ## How does it work?
 

package/docs/developer-guide/js-api.md

@@ -142,7 +142,7 @@ Information related to the last release found:
 | gitTag  | `String` | The [Git tag](https://git-scm.com/book/en/v2/Git-Basics-Tagging) associated with the last release.                                  |
 | channel | `String` | The distribution channel on which the last release was initially made available (`undefined` for the default distribution channel). |
 
-**Notes**: If no previous release is found, `lastRelease` will be an empty `Object`.
+**Note**: If no previous release is found, `lastRelease` will be an empty `Object`.
 
 Example:
 

package/docs/extending/plugins-list.md

@@ -174,3 +174,11 @@
 - [semantic-release-coralogix](https://github.com/adobe/semantic-release-coralogix)
   - `verifyConditions` Verified that required credentials are provided and API is accessible
   - `publish` add a release tag to Coralogix
+- [semantic-release-major-tag](https://github.com/doteric/semantic-release-major-tag)
+  - `success` Create major version tag, for example `v1`.
+- [semantic-release-yarn](https://github.com/hongaar/semantic-release-yarn)
+  - **Note**: this is an alternative to the default `@semantic-release/npm` plugin and adds support for monorepos.
+  - `verifyConditions` Verify Yarn 2 or higher is installed, verify the presence of a NPM auth token (either in an environment variable or a `.yarnrc.yml` file) and verify the authentication method is valid.
+  - `prepare` Update the `package.json` version and create the package tarball.
+  - `addChannel` Add a tag for the release.
+  - `publish` Publish to the npm registry.

package/docs/recipes/ci-configurations/github-actions.md

@@ -6,6 +6,11 @@ The [Authentication](../../usage/ci-configuration.md#authentication) environment
 
 In this example a publish type [`NPM_TOKEN`](https://docs.npmjs.com/creating-and-viewing-authentication-tokens) is required to publish a package to the npm registry. GitHub Actions [automatically populate](https://help.github.com/en/articles/virtual-environments-for-github-actions#github_token-secret) a [`GITHUB_TOKEN`](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) environment variable which can be used in Workflows.
 
+## npm provenance
+
+Since GitHub Actions is a [supported provider](https://docs.npmjs.com/generating-provenance-statements#provenance-limitations) for [npm provenance](https://docs.npmjs.com/generating-provenance-statements), it is recommended to enable this to increase supply-chain security for your npm packages.
+Find more detail about configuring npm to publish with provenance through semantic-release [in the documentation for our npm plugin](https://github.com/semantic-release/npm#npm-provenance).
+
 ## Node project configuration
 
 [GitHub Actions](https://github.com/features/actions) support [Workflows](https://help.github.com/en/articles/configuring-workflows), allowing to run tests on multiple Node versions and publish a release only when all test pass.
@@ -23,10 +28,19 @@ on:
   push:
     branches:
       - master
+
+permissions:
+  contents: read # for checkout
+
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -37,7 +51,9 @@ jobs:
         with:
           node-version: "lts/*"
       - name: Install dependencies
-        run: npm ci
+        run: npm clean-install
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/docs/usage/installation.md

@@ -24,9 +24,28 @@ For other type of projects we recommend installing **semantic-release** directly
 $ npx semantic-release
 ```
 
-**Note**: For a global installation, it's recommended to specify the major **semantic-release** version to install (for example with `npx semantic-release@18`).
-This way your build will not automatically use the next major **semantic-release** release that could possibly break your build.
-You will have to upgrade manually when a new major version is released.
-
-**Note**: `npx` is a tool bundled with `npm@>=5.2.0`. It is used to conveniently install the semantic-release binary and to execute it.
-See [What is npx](../support/FAQ.md#what-is-npx) for more details.
+### Notes
+
+1. If you've globally installed **semantic-release** then we recommend that you set the major **semantic-release** version to install.
+   For example, by using `npx semantic-release@18`.
+   This way you control which major version of **semantic-release** is used by your build, and thus avoid breaking the build when there's a new major version of **semantic-release**.
+   This also means you, or a bot, must upgrade **semantic-release** when a new major version is released.
+2. Pinning **semantic-release** to an exact version makes your releases even more deterministic.
+   But pinning also means you, or a bot, must update to newer versions of **semantic-release** more often.
+3. You can use [Renovate's regex manager](https://docs.renovatebot.com/modules/manager/regex/) to get automatic updates for **semantic-release** in either of the above scenarios.
+   Put this in your Renovate configuration file:
+   ```json
+   {
+     "regexManagers": [
+       {
+         "description": "Update semantic-release version used by npx",
+         "fileMatch": ["^\\.github/workflows/[^/]+\\.ya?ml$"],
+         "matchStrings": ["\\srun: npx semantic-release@(?<currentValue>.*?)\\s"],
+         "datasourceTemplate": "npm",
+         "depNameTemplate": "semantic-release"
+       }
+     ]
+   }
+   ```
+4. `npx` is a tool bundled with `npm@>=5.2.0`. You can use it to install (and run) the **semantic-release** binary.
+   See [What is npx](../support/FAQ.md#what-is-npx) for more details.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "semantic-release",
   "description": "Automated semver compliant package publishing",
-  "version": "21.0.1",
+  "version": "21.0.3-beta.1",
   "type": "module",
   "author": "Stephan Bönnemann <stephan@boennemann.me> (http://boennemann.me)",
   "ava": {
@@ -28,9 +28,9 @@
   "dependencies": {
     "@semantic-release/commit-analyzer": "^9.0.2",
     "@semantic-release/error": "^3.0.0",
-    "@semantic-release/github": "^8.0.0",
+    "@semantic-release/github": "9.0.0-beta.2",
     "@semantic-release/npm": "^10.0.2",
-    "@semantic-release/release-notes-generator": "^10.0.0",
+    "@semantic-release/release-notes-generator": "^11.0.0",
     "aggregate-error": "^4.0.1",
     "cosmiconfig": "^8.0.0",
     "debug": "^4.0.0",
@@ -57,23 +57,22 @@
   },
   "devDependencies": {
     "ava": "5.2.0",
-    "c8": "7.13.0",
+    "c8": "7.14.0",
     "clear-module": "4.1.2",
     "codecov": "3.8.3",
-    "delay": "5.0.0",
     "dockerode": "3.3.5",
     "file-url": "4.0.0",
     "fs-extra": "11.1.1",
     "got": "12.6.0",
     "js-yaml": "4.1.0",
     "mockserver-client": "5.15.0",
-    "nock": "13.3.0",
+    "nock": "13.3.1",
     "p-retry": "5.1.2",
-    "prettier": "2.8.7",
-    "sinon": "15.0.3",
+    "prettier": "2.8.8",
+    "sinon": "15.1.0",
     "stream-buffers": "3.0.2",
     "tempy": "3.0.0",
-    "testdouble": "3.17.2"
+    "testdouble": "3.18.0"
   },
   "engines": {
     "node": ">=18"